Two things happened this week that got me thinking about social engineering. First, I bought a new iPhone for my son (Father of the Year!) and had it shipped directly to his house. Recall that Verizon makes it easy to buy a new phone and just add the cost to your monthly bill. It is the ultimate I-would-gladly-pay-you-Tuesday-for-a-hamburger-today experience. As I proceeded through the transaction, I thought about how easy it might be to break into someone’s Verizon account, order merchandise and have it shipped somewhere else. I was happy to see that Verizon had built in steps that required two-factor authentication to complete the job.
Second, I read about the two Las Vegas casinos (Caesar’s and the MGM Grand) being hacked by ransomware groups. In the MGM Grand case, news reports indicated that the breach happened due to a phone call with the resort’s Help Desk. I knew that this news would cause some of you to wonder if you are doing enough to prevent a similar social engineering attack from occurring on your watch.
Social Engineering Defined
Before I continue, let me define the term, “social engineering.” I like this definition from ENISA, the European Union Agency for Cybersecurity.
Social engineering refers to all techniques aimed at talking a target into revealing specific information or performing a specific action for illegitimate reasons.
My experience with social engineering dates to my high school days, back when I worked at an ice cream shop. A customer ordered two ice cream cones and paid with a five-dollar bill. (Hey, I said it was a while ago.) He proceeded to swap his money several times, ultimately convincing me to give him change back on his twenty-dollar bill. I was too flustered to figure out the scam until later, when the shop owner asked me about the mismatch between the register receipts and the change drawer total.
Hackers have used social engineering to breach accounts for years (here is an example). The scary part for security people is that it seems so easy to do and so hard to defend against. If we do not read about social engineering attacks very often, it is probably because hackers can get what they want using easier methods. See any of a gazillion stories about people giving up their passwords.
What Happened at MGM Grand
The story is still developing, but here is what we know. Hackers called the Help Desk, pretending to be a user who they knew had elevated administrative privileges. They convinced the Help Desk to reset the user’s password and MFA method. From there (and probably with some other hacking steps) the hackers were able to access the network, exfiltrate a pile of data, and lock up many of the hotel’s systems.
Consider some of the social engineering observations from the breaches at Caesar’s and the MGM Grand.
- Humans were the weak link in the security chain.
- The breach at Caesar’s originated with one of the hotel’s IT suppliers. Hmm, I believe we have previously talked about the need to account for your IT supplier’s security.
- The hackers may have used social media (especially LinkedIn) to select their target user.
The good news is that we already know about these techniques. They are why (join in the chorus) we must train users to recognize phishing techniques.
Consider These Steps
The better news is that you can take steps to combat social engineering.
- Think about self-service password reset. When we suggest this to customers, they push back by saying they want to offer this “human touch” to their users. That makes sense. However, with self-service password reset, the process follows an algorithm. Yes, the algorithm can be defeated, though not easily. The potential benefit is that the algorithm will not respond to social engineering. You could say that it will not get flustered.
- Strengthen your process. Many organizations protect themselves against the money transfer scam by requiring two levels of approval before sending a wire. In the MGM Grand case, they could create a process that requires supervisor approval before resetting an admin’s password.
- Narrow your MFA options to an authenticator app. Microsoft is now requiring this. You could even have admins use a FIDO2 key fob to authenticate.
- Go beyond tightening access. Create Conditional Access policies that restrict behavior that seems sketchy. For instance, limit or block admin access that occurs shortly after an admin account resets its password.
- Watch how many admin accounts you have. Get rid of the ones you no longer need.
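To make the "supervisor approval" and "block admin access shortly after a reset" ideas concrete, here is a small detection written for this post as an added example (it is not code from the post, from Microsoft, or from any vendor tool). It parses a handful of constructed log lines, then flags sign-ins by privileged accounts that occur within a short window after a Help Desk-initiated password or MFA reset. The log format, field names (user, actor, target, roles, ip), the role name GlobalAdmin and the IP addresses are all assumptions made for the illustration.

```python
"""Flag privileged sign-ins that closely follow a Help Desk password/MFA reset.

Added illustration for the blog post above; not from the post or any product.
The log format below is invented: "<ISO timestamp> <event> key=value ...".
"""
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry). "actor=helpdesk" means
# the reset was performed by the Help Desk on the user's behalf; "actor=self"
# means self-service password reset.
SAMPLE_LOG = """\
2023-09-11T08:00:00Z reset user=alice actor=helpdesk target=password
2023-09-11T08:00:30Z reset user=alice actor=helpdesk target=mfa
2023-09-11T08:07:00Z signin user=alice roles=GlobalAdmin ip=203.0.113.7
2023-09-11T09:30:00Z reset user=bob actor=self target=password
2023-09-11T09:35:00Z signin user=bob roles=GlobalAdmin ip=198.51.100.4
2023-09-11T10:00:00Z reset user=carol actor=helpdesk target=password
2023-09-11T10:05:00Z signin user=carol roles=User ip=198.51.100.9
2023-09-11T11:00:00Z reset user=dave actor=helpdesk target=password
2023-09-11T15:00:00Z signin user=dave roles=GlobalAdmin ip=198.51.100.12
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s*(.*)$")


def parse_line(line):
    """Turn one log line into a dict, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts_raw, kind, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    ts = datetime.fromisoformat(ts_raw.replace("Z", "+00:00"))
    return {"ts": ts, "kind": kind, **fields}


def parse_log(text):
    """Parse all lines and return them sorted by timestamp."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    return events


def find_post_reset_admin_signins(events, admin_roles,
                                  window=timedelta(minutes=60),
                                  helpdesk_only=True):
    """Return findings for admin sign-ins within `window` of a reset.

    With helpdesk_only=True, only resets performed by the Help Desk count
    (the MGM Grand pattern); set it False to treat self-service resets the
    same way.
    """
    resets_by_user = {}  # user -> list of qualifying reset events
    findings = []
    for e in events:  # events are time-ordered, so resets precede sign-ins
        if e["kind"] == "reset":
            if helpdesk_only and e.get("actor") != "helpdesk":
                continue
            resets_by_user.setdefault(e["user"], []).append(e)
        elif e["kind"] == "signin":
            roles = set(e.get("roles", "").split(","))
            if not roles & admin_roles:
                continue  # not a privileged sign-in; nothing to correlate
            recent = [r for r in resets_by_user.get(e["user"], [])
                      if e["ts"] - r["ts"] <= window]
            if recent:
                first = min(r["ts"] for r in recent)
                findings.append({
                    "user": e["user"],
                    "signin_ts": e["ts"],
                    "ip": e.get("ip"),
                    "minutes_since_reset": (e["ts"] - first).total_seconds() / 60,
                    "reset_targets": sorted({r.get("target", "?") for r in recent}),
                })
    return findings


if __name__ == "__main__":
    for f in find_post_reset_admin_signins(parse_log(SAMPLE_LOG), {"GlobalAdmin"}):
        print(f"{f['user']}: admin sign-in from {f['ip']} "
              f"{f['minutes_since_reset']:.0f} min after Help Desk reset "
              f"of {', '.join(f['reset_targets'])}")
```

With the sample above only alice is flagged: bob's reset was self-service, carol holds no admin role, and dave's sign-in falls outside the one-hour window. In a real deployment the same correlation is what a Conditional Access policy or SIEM rule would encode; the point of the script is to show how little logic is needed to turn "reset followed by admin sign-in" into something a reviewer has to approve rather than something that silently succeeds.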
You know that cybersecurity is a journey more than a destination. Hackers are going to hack. Accept that reality. And keep looking for ways to counter social engineering threats.